Overview of the CERT® Resilience Management Model (CERT®-RMM)

Jim Cebula

Technical Manager - Cyber Risk Management, CERT® Division

Jim Cebula is the Technical Manager of the Cyber Risk Management team in the Cyber Security Solutions Directorate of the CERT Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University.

Cebula’s current activities include risk management methods along with assessment and management of operational resilience among Federal departments and agencies as well as critical infrastructure and key resource (CIKR) providers. He is the co-author of the Taxonomy of Operational Cyber Security Risks, and has instructed courses in the OCTAVE method. He is also currently a co-PI on a research initiative studying perceptions of risk. He joined CERT in 2009 after spending nearly fifteen years in project management, IT and security roles supporting government agencies, most recently as a cyber security manager.
CERT® Resilience Management Model (CERT-RMM)

CERT-RMM, Version 1.1

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience

Framework for managing and improving operational resilience

Richard A. Caralli
Julia H. Allen
David W. White

http://www.cert.org/resilience/

“...an extensive superset of the things an organization could do to be more resilient.”

—CERT-RMM adopter
What is CERT-RMM?

Guides implementation and management of operational resilience activities

Enables and promotes the convergence of

• Business Continuity, COOP, IT disaster recovery

• Information security, cybersecurity

• IT operations

Applicable to a variety of organizations

• small or large

• simple or complex

• public or private

Software Engineering Institute | Carnegie Mellon University


How was CERT-RMM developed?

Inputs to CERT-RMM:

• DR and BC knowledge of financial industry

• Collaboration with high-maturity organizations

• 20+ years of security mgmt knowledge at CERT

• Process improvement architecture & experience

• 800+ practices for security, BC, DR, & IT ops

CERT-RMM → Piloting in private and government organizations

CERT-RMM codifies best practices for info. sec., IT DR, and BC from world leading organizations and numerous standards and codes of practice.
What drove development of CERT-RMM?

Increasingly complex operational environments

Siloed nature of operational risk activities

Lack of common language or taxonomy

Overreliance on technical approaches

Lack of means to measure organizational capability

Inability to confidently predict outcomes, behaviors, and performance under times of stress
CERT-RMM - The Model

Guidelines and practices for

• converging security, business continuity, disaster recovery, and IT ops

• implementing, managing, and sustaining operational resilience activities

• managing operational risk through process

• measuring and institutionalizing the resilience process

Common vernacular and basis for planning, communicating, and evaluating improvements

Focuses on “what,” not “how”

Organized into 26 process areas

(Book cover: CERT® Resilience Management Model, Version 1.1; A Maturity Model for Managing Operational Resilience; Richard A. Caralli, Julia H. Allen, David W. White)
CERT-RMM Process Areas

Access Management
Asset Definition and Management
Communications
Compliance
Controls Management
Enterprise Focus
Environmental Control
External Dependencies
Financial Resource Management
Human Resource Management
Identity Management
Incident Management & Control
Knowledge & Information Mgmt.
Measurement and Analysis
Monitoring
Organizational Process Focus
Organizational Process Definition
Organizational Training & Awareness
People Management
Resiliency Requirements Development
Resiliency Requirements Management
Resilient Technical Solution Engr.
Risk Management
Service Continuity
Technology Management
Vulnerability Analysis & Resolution
Foundational Elements of CERT-RMM

Operational Resilience

Risk Management

• Operational Risk Management

Convergence

Organizational Construct for Resilience Activities

Capability Dimension

• Process Institutionalization

Code of Practice Crosswalk
RISK

The possibility of suffering harm or loss

A source of danger

The possibility of suffering a harmful event

Exposure to the chance of injury or loss

Components of a risk:

1. An event or condition

2. A consequence or impact from the condition

3. An uncertainty

Risk management activities: Identify, Characterize, Assess, Prioritize, Mitigate, Avoid, Reduce, Accept, Share, Monitor, etc.
RISK Management

Operational Risk Management

A form of risk affecting day-to-day business operations

A very broad risk category

• from high-frequency, low-impact to low-frequency, high-impact

Types of Operational Risks

• actions of people

• systems and technology failures

• failed internal processes

• external events

Operational resilience emerges from effective management of operational risk.
Hurdles to Effective Operational Risk & Resilience Mgmt.

Vague and abstract nature
Compartmentalization
Technology focus
Practice proliferation
Insufficient funding
Insufficient success metrics
Discrete nature of activity
(Over)reliance on people
Regulatory climate
Head-in-the-sand
Cornerstones & Foundational Elements of CERT-RMM

Operational Resilience

Operational Risk Management

Convergence

Organizational Construct for Resilience Activities

Protection and Sustainment Activities

Institutionalization

Lifecycle View

Code of Practice Crosswalk
Convergence

A fundamental concept in managing operational resilience

Refers to the harmonization of operational risk management activities that have similar objectives and outcomes

Operational risk management activities include (but are not limited to)

• security planning and management

• business continuity and disaster recovery

• IT operations and service delivery management

Other support activities may also be involved

• communications

• financial management

• etc.
Convergence

(figure: Enterprise Risk Management)
Benefits of Convergence and Integration

Similar activities are bound by the same risk drivers

Allows for better alignment between risk-based activities and organizational risk tolerances and appetite

Eliminates redundant activities (and associated costs)

Forces collaboration between activities that have similar objectives

Enforces a mission focus

Facilitates a process that is owned across the organization

Influences how operational risk and resilience management work is planned, executed, and managed
Desired Integrated Approach

(figure)
Enemies of Convergence

Organizational structures

Traditional funding models

Overuse and misuse of codes of practice

Unclear or poorly defined and communicated risk drivers

Unclear or poorly defined enterprise objectives, strategic objectives, and critical success factors

Lack of supporting process orientation and definition

Lack of sponsorship and governance for the process

Lack of a risk-aware culture
Organizational Context for Activities
Operational Resilience Starts at the Asset Level
What do these organizations have in common?

Tradition

Protection

Customer Happiness

Chain of Command

Unit Cohesion

Regulations
CERT® Operational Resilience: Manage, Protect, and Sustain
Twitter #CERTopRES
© 2013 Carnegie Mellon University


CERT-RMM Combines Two Approaches

Process Dimension: Operational Resilience Management System (what to do). Comprehensive non-prescriptive guidance on what to do to manage operational resilience.

Capability Dimension: Process Institutionalization and Improvement (making it stick). Proven guidance for institutionalizing processes so that they persist over time.
Institutionalizing a Culture of

institutionalize (verb): to make something become part of a particular society, system, or organization

Organizations must provide explicit guidance for institutionalizing resilience activities so that they persist over time.

Ask not “how well am I performing today?”

Ask “do I have what it takes to sustain high performance beyond today?”
Lifecycle View

Plan → Design → Develop/Acquire → Deploy → Operate → Retire

(figure labels: Resilience Engineering; Protection and Sustainment Activities)

To improve and sustain an entity’s operational resilience, it is not sufficient to improve only protection and sustainment activities.

Resilience should not be an afterthought bolt-on.

Resilience should be engineered and built in.

Resilience Management is a Total Lifecycle Concept.
Code of Practice Crosswalk

Links CERT-RMM practices to commonly used codes of practice and standards, including

• ANSI/ASIS SPC.1-2009

• BS 25999

• COBIT 4.1

• COSO ERM Framework

• CMMI

• FFIEC BCP Handbook

• ISO 20000-2

• ISO/IEC 24762

• ISO/IEC 27005

• ISO/IEC 31000

• NFPA 1600

• PCI DSS

• etc.

(Report cover: CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk, Commercial Version 1.1; Kevin G. Partridge, Lisa R. Young; October 2011; Technical Note CMU/SEI-2011-TN-012; CERT® Program)
CERT-RMM Code of Practice Crosswalk

Crosswalk table columns: Process Area Specific Goals and Specific Practices | Subpractices | ANSI/ASIS SPC.1-2009 | BS25999-1:2006 | CMMI-Dev

Example row:

Specific practice: SC:SG5.SP4 Evaluate Plan Test Results

Subpractices: Compare actual test results with expected test results and test objectives. Document areas of improvement for service continuity plans.

Extensive tabular crosswalk between CERT-RMM’s 26 process areas and 251 specific practices and key industry standards
Organization of the Model

Process Area Structure & Components

Example: Service Continuity Process Area

(figure: the 26 CERT-RMM process areas, with Service Continuity as the example)
Example: Service Continuity Process Area

SERVICE CONTINUITY

Purpose

The purpose of Service Continuity is to ensure the continuity of essential operations of services and related assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.

Introductory Notes

The continuity of an organization’s service delivery is a paramount concern in the organization’s operational resilience activities. The organization can invest considerable time and resources in attempting to prevent a range of potential disruptive events, but no organization can mitigate all risk. As a result, the organization must be prepared to deal with the consequences of a disruption to its operations at any time. Significant disruption can result in dire circumstances for the organization, even bankruptcy or termination.
Example: Service Continuity Process Area

Summary of Specific Goals and Practices

SC:SG1 Prepare for Service Continuity

SC:SG1.SP1 Plan for Service Continuity
SC:SG1.SP2 Establish Standards and Guidelines for Service Continuity

SC:SG2 Identify and Prioritize High-Value Services

SC:SG2.SP1 Identify the Organization’s High-Value Services
SC:SG2.SP2 Identify Internal and External Dependencies and Interdependencies
SC:SG2.SP3 Identify Vital Organizational Records and Databases

SC:SG3 Develop Service Continuity Plans

SC:SG3.SP1 Identify Plans to Be Developed
SC:SG3.SP2 Develop and Document Service Continuity Plans
SC:SG3.SP3 Assign Staff to Service Continuity Plans
SC:SG3.SP4 Store and Secure Service Continuity Plans
SC:SG3.SP5 Develop Service Continuity Plan Training

SC:SG4 Validate Service Continuity Plans

SC:SG4.SP1 Validate Plans to Requirements and Standards
SC:SG4.SP2 Identify and Resolve Plan Conflicts
Example: Service Continuity Process Area

SC:SG2.SP1 Identify the Organization’s High-Value Services

The high-value services of the organization and their associated assets are identified.

The identification and prioritization of the organization’s high-value services as strategic planning activities are addressed in the Enterprise Focus process area. This practice is included here to emphasize the importance of prioritizing high-value services as a founda-

Typical work products

1. Prioritized list of high-value organizational services, activities, and associated assets

2. Results of security risk assessment and business impact analyses

Subpractices

1. Identify the organization’s high-value services, associated assets, and activities.

2. Analyze and document the relative value of providing these services and the resulting impact on the organization if these services are interrupted.

Consideration of the consequences of the loss of high-value organizational services is typically performed as part of a business impact analysis. In addition, the consc-
Using the Model

Using CERT-RMM for improvement

Improvement cycle: Recognize Objective → Determine Scope → Analyze Gaps → Implement Changes → Evaluate Results → (back to Recognize Objective)
For FISMA Compliance

(figure: the 26 CERT-RMM process areas)
For Managing Cloud Computing

(figure: the 26 CERT-RMM process areas)
For Managing the Insider Threat Challenge

(figure: the 26 CERT-RMM process areas)
For Managing Disaster Recovery, COOP, and Business Continuity Policies

(figure: the 26 CERT-RMM process areas)
Distinguishing Features of CERT-RMM

Converges key operational risk management activities: security, BC/DR, and IT operations

Guides implementation and management of operational resilience activities

Descriptive rather than prescriptive: focuses on the “what,” not the “how”

Provides an organizing convention for effective selection and deployment of codes of practice and standards

Guides improvement in areas where an organization’s capability does not equal its desired state
Distinguishing Features of CERT-RMM (Cont.)

Improves confidence in how an organization responds in times of operational stress

Provides a baseline from which to perform an appraisal

Enables measurements of effectiveness

Is a process improvement model

Enables institutionalization

Is not a proprietary model
Variety of Ways to Use CERT-RMM

Starting point for socializing important harmonization and convergence principles across security, business continuity, and IT operations activities

Reference model for understanding the scope of managing operational resilience

Process improvement model to catalyze a process improvement effort

Baseline from which to perform an appraisal of an organization’s capability

Guide for improvement in areas where an organization’s capability does not equal its desired state

Organizing construct for codes of practice

Taxonomy
Notices

Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
SEI Training

Introduction to the CERT Resilience Management Model

February 18 - 20, 2014 (SEI, Arlington, VA)

June 17 - 19, 2014 (SEI, Pittsburgh, PA)

See Materials Widget for course document